Today’s Topics:
- Ollama Vulnerabilities Expose Local AI Servers to Memory Leaks and Persistent Code Execution
- Canvas Breach Update: Instructure Says Core Learning Data Was Not Compromised as Forensic Review Continues
- How can Netizen help?
Ollama Vulnerabilities Expose Local AI Servers to Memory Leaks and Persistent Code Execution

A newly disclosed Ollama vulnerability is drawing attention to a growing risk in local AI deployments: tools built to keep models and data off cloud infrastructure can still expose sensitive information when their APIs, model loaders, or update mechanisms are left insufficiently protected.
The critical flaw, tracked as CVE-2026-7482 and assigned a CVSS score of 9.1, affects Ollama prior to version 0.17.1. Researchers at Cyera named the vulnerability “Bleeding Llama” after finding that a remote, unauthenticated attacker could abuse Ollama’s GGUF model loader to leak process memory from an exposed server. The issue likely affects more than 300,000 servers globally, according to the report.
Ollama is widely used by developers and security teams to run large language models locally rather than through hosted AI platforms. Running models locally can reduce some cloud exposure, but it does not remove the need for basic service hardening. In this case, the vulnerability stems from how Ollama handles attacker-supplied GGUF model files during model creation. GGUF, short for GPT-Generated Unified Format, is used to store and load large language models locally. A malicious file with manipulated tensor offset and size values can cause the server to read beyond the allocated heap buffer during quantization.
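The bounds check this class of bug calls for, shown as an added Go example (not Ollama's code and not the actual patch): every offset and size taken from an uploaded model file is validated against the real length of the tensor data before anything is read. `TensorInfo`, `ValidateTensor` and the flat `ElemSize` field are hypothetical simplifications; real quantized types are sized per block rather than per element.

```go
package main

import (
	"errors"
	"fmt"
	"math/bits"
)

// TensorInfo is a simplified, hypothetical tensor record; every field is untrusted.
type TensorInfo struct {
	Name     string
	Offset   uint64   // start of this tensor inside the data region
	Dims     []uint64 // element count per dimension
	ElemSize uint64   // bytes per element for the declared type
}

var ErrOutOfBounds = errors.New("tensor range outside data region")

// byteSize multiplies dims by element size and fails on uint64 overflow.
func byteSize(t TensorInfo) (uint64, error) {
	size := t.ElemSize
	for _, d := range t.Dims {
		hi, lo := bits.Mul64(size, d)
		if hi != 0 {
			return 0, fmt.Errorf("%s: size overflows: %w", t.Name, ErrOutOfBounds)
		}
		size = lo
	}
	return size, nil
}

// ValidateTensor checks [Offset, Offset+size) against dataLen before any read.
func ValidateTensor(t TensorInfo, dataLen uint64) error {
	size, err := byteSize(t)
	if err != nil {
		return err
	}
	// Written as size > dataLen-Offset so that Offset+size can never wrap.
	if t.Offset > dataLen || size > dataLen-t.Offset {
		return fmt.Errorf("%s: offset %d size %d exceeds %d bytes: %w", t.Name, t.Offset, size, dataLen, ErrOutOfBounds)
	}
	return nil
}

func main() {
	// Constructed records checked against a constructed 4096-byte data region.
	ok := TensorInfo{Name: "blk.0.weight", Offset: 1024, Dims: []uint64{32, 16}, ElemSize: 4}
	bad := TensorInfo{Name: "blk.1.weight", Offset: 4000, Dims: []uint64{32, 16}, ElemSize: 4}
	fmt.Println(ValidateTensor(ok, 4096), ValidateTensor(bad, 4096))
}
```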
The practical impact is significant because the exposed memory may contain sensitive data from the Ollama process. Researchers warned that leaked data could include environment variables, API keys, system prompts, proprietary code, customer information, and conversation content from concurrent users. In environments where Ollama is connected to developer tooling or agentic coding assistants, the exposure could extend further, since tool outputs and internal development context may pass through the same process memory.
The attack chain described by researchers is relatively direct. An attacker sends a crafted GGUF file to a network-accessible Ollama server, uses the /api/create endpoint to trigger model creation, and then abuses the resulting model artifact to move leaked data out through the /api/push endpoint. The risk is amplified by the fact that Ollama’s REST API does not provide authentication by default, making internet-exposed instances a high-value target if they are not placed behind access controls.
The disclosure also comes alongside separate research from Striga describing two Ollama for Windows vulnerabilities that can be chained into persistent code execution. Those issues, tracked as CVE-2026-42248 and CVE-2026-42249, involve missing signature verification in the Windows updater and a path traversal flaw tied to how the updater stages installation files. According to the report, Ollama for Windows versions 0.12.10 through 0.17.5 are affected by the two flaws.
The Windows issue depends on an attacker being able to influence update responses received by the Ollama client. Under the right conditions, a malicious executable could be supplied through the update process and written into the Windows Startup folder. Since the Windows client starts on login, this could allow attacker-controlled code to run every time the user signs in. The missing signature verification issue can also allow code execution by itself, with path traversal making the persistence more durable.
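One way to keep a staged update file inside its staging directory, shown as an added Go example (not Ollama's updater code or its fix): the file name from the update response is treated as untrusted and must be a single plain file name. `StagePath`, `ErrUnsafeName`, the `stage` directory and the sample names are hypothetical; this covers only the path handling, and signature verification of the downloaded file is a separate control.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrUnsafeName = errors.New("unsafe update file name")

// StagePath maps a file name taken from an update response (untrusted network
// input) to a path directly inside stageDir, or returns ErrUnsafeName.
func StagePath(stageDir, name string) (string, error) {
	// Treat "\" as a separator on every host OS so Windows-style traversal
	// is caught even if this check runs on a non-Windows build or test box.
	norm := strings.ReplaceAll(name, `\`, "/")
	switch {
	case norm == "" || norm == "." || norm == "..":
		return "", fmt.Errorf("%q: empty or dot name: %w", name, ErrUnsafeName)
	case strings.Contains(norm, "/"):
		// An installer is a single file: refuse any directory component.
		return "", fmt.Errorf("%q: contains a path separator: %w", name, ErrUnsafeName)
	case strings.ContainsAny(norm, ":\x00"):
		// Drive letters, NTFS alternate data streams, embedded NUL.
		return "", fmt.Errorf("%q: contains ':' or NUL: %w", name, ErrUnsafeName)
	}
	dst := filepath.Join(stageDir, norm)
	// Second check on the joined result: it must still resolve to stageDir/name.
	if rel, err := filepath.Rel(stageDir, dst); err != nil || rel != norm {
		return "", fmt.Errorf("%q: escapes %s: %w", name, stageDir, ErrUnsafeName)
	}
	return dst, nil
}

func main() {
	// Constructed names, as if read from an update response.
	for _, n := range []string{"OllamaSetup.exe", `..\..\Startup\update.exe`, "C:setup.exe"} {
		p, err := StagePath("stage", n)
		fmt.Printf("%q -> %q %v\n", n, p, err)
	}
}
```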
For security teams, the broader lesson is that local AI infrastructure should be treated like any other exposed application service. Local deployment does not mean low risk. Ollama instances may hold sensitive prompts, business logic, credentials, code, customer data, and internal operational context. Once these systems are connected to developer tools, automation pipelines, or internal services, compromise can create a direct path into sensitive enterprise workflows.
Organizations using Ollama should upgrade affected instances, restrict network access, and audit whether any servers are reachable from the internet. Instances should be placed behind a firewall, authentication proxy, or API gateway, especially in shared development or enterprise environments. Windows users should disable automatic updates where recommended, remove Ollama from the Startup folder as a temporary mitigation, and monitor for unexpected binaries or update artifacts in user startup paths.
The recent Ollama disclosures show how AI infrastructure is becoming part of the attack surface rather than a separate category of tooling. As organizations adopt local model runners for privacy, performance, and development speed, they also need to apply the same controls expected of production services: authentication, patching, exposure management, logging, and containment. Without those controls, a local AI server can become another place where sensitive data collects, persists, and becomes available to attackers.
Canvas Breach Update: Instructure Says Core Learning Data Was Not Compromised as Forensic Review Continues

As of May 11, Instructure has confirmed that Canvas is fully back online after a security incident that disrupted schools and universities during finals week, but the company’s investigation is still ongoing and customer-specific findings may take weeks to complete.
The latest Instructure update narrows the confirmed scope of the incident while still leaving open questions about affected organizations and individual users. Instructure said the incident involved unauthorized access to part of its environment, with exposed data fields including usernames, email addresses, course names, enrollment information, and messages. The company said core learning data, including course content, submissions, and credentials, was not compromised.
The company also confirmed that the access path involved a vulnerability connected to support tickets in its Free for Teacher environment. Instructure has temporarily disabled Free for Teacher accounts while it completes a full security review. That detail updates earlier reporting that linked the incident more broadly to Free-For-Teacher accounts and clarifies that the issue involved the support ticket environment tied to those accounts.
The breach unfolded in two public phases. Instructure first detected unauthorized activity in Canvas on April 29, revoked the unauthorized party’s access, opened an investigation, and brought in outside forensic experts. On May 7, the company identified more unauthorized activity tied to the same incident, after the threat actor changed pages that appeared when some students and teachers were logged into Canvas. Instructure then placed Canvas into maintenance mode to contain the activity, investigate, and apply added safeguards.
The May 7 activity produced the most visible disruption. Reuters reported that students at schools including Harvard, the University of Pennsylvania, Duke, UCLA, and the University of Nebraska were blocked from Canvas after users were redirected to a ShinyHunters message. The same report said the message claimed responsibility for the breach and directed schools to contact the group before May 12.
Instructure now says it has not found evidence that data was taken during the May 7 activity. The company’s current position is that the May 7 event involved unauthorized changes to pages seen by some logged-in users, rather than a confirmed second round of data theft. The investigation is still underway, and Instructure says it will share more once findings are verified.
The data confirmed by Instructure has changed somewhat from the earliest public descriptions. Earlier updates identified names, email addresses, student ID numbers, and messages among Canvas users at affected organizations. The May 11 incident page now lists usernames, email addresses, course names, enrollment information, and messages, and states that core learning data was not compromised. The company previously said it had found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
Instructure also said it has engaged CrowdStrike to support the forensic analysis and provide recommendations for hardening its environment. The company has brought in another vendor to conduct a full e-discovery review of the involved data, but warned that the process is expected to take weeks. That means affected schools may not receive final user-level or organization-level detail immediately.
The company says impacted organizations began receiving notices on May 5. Instructure also said that organizations that have not received direct notice have not, at this point, been found to have data involved, though the investigation remains active. This point matters for schools responding to public lists circulated by ShinyHunters or shared on social media, since those claims may not match verified forensic findings.
The operational impact remains significant. The Associated Press reported that the outage hit during final exam periods, leaving students unable to access grades, assignments, course notes, lecture videos, and other materials. Some schools issued warnings to students, and the University of Texas at San Antonio pushed back Friday finals in response to the outage.
The University of California system said Canvas login pages at UC locations displayed a suspicious message from the threat actor, prompting UC to temporarily block or redirect Canvas access. By May 9, UC said Instructure had advised that the incident was contained and remediated, and UC locations were making risk-based decisions about when to restore Canvas access based on operational needs.
Instructure’s status page also reflects the recovery posture. As of May 11, the status page showed Canvas under a partial outage, Canvas LMS under maintenance, and Student ePortfolios under partial outage, even as the company’s incident page stated that Canvas is fully back online and available for use. The status page also recorded two May 11 service issues unrelated to the original breach: New Quizzes UI elements not loading and slowness when accessing Canvas, both marked resolved.
The company has outlined several containment and hardening steps. Instructure says it revoked privileged credentials and access tokens tied to affected systems, deployed platform protections, rotated internal keys, restricted token creation pathways, and added monitoring across its platforms. It also said its external forensic partner reviewed known indicators and found no evidence that the threat actor currently has access to the platform.
For schools and universities, the near-term concern is follow-on phishing. Instructure is advising students, parents, employees, and affected organizations to be cautious of unexpected emails or messages referencing the incident, avoid suspicious links, and report unusual activity to their school or institution’s IT or security team. The University of California issued similar guidance, warning users to watch for unexpected messages that appear to come from UC and reminding users that the university will not ask for passwords, Social Security numbers, birthdates, or bank account information through email, text, or phone.
For SOC teams, the updated picture points to a vendor compromise with direct local exposure risk. Security teams should monitor for Canvas-themed phishing, suspicious SSO activity, unusual administrative actions, unexpected API token use, new OAuth grants, and help desk requests tied to Canvas access, breach notifications, or account resets. Instructure is not recommending broad new customer-side remediation solely tied to the May 7 activity unless it contacts a customer directly, but it does recommend normal monitoring of Canvas environments, integrations, and administrative activity.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive-level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by the U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
